PAIRINGS ON JACOBIANS OF HYPERELLIPTIC CURVES

CHRISTIAN ROBENHAGEN RAVNSHØJ

Abstract. Consider the Jacobian of a hyperelliptic genus two curve defined over a finite field. Under certain restrictions on the endomorphism ring of the Jacobian, we give an explicit description of all non-degenerate, bilinear, anti-symmetric and Galois-invariant pairings on the Jacobian. From this description it follows that no such pairing can be computed more efficiently than the Weil pairing.

To establish this result, we need an explicit description of the representation of the Frobenius endomorphism on the $\ell$-torsion subgroup of the Jacobian. This description is given. In particular, we show that if the characteristic polynomial of the Frobenius endomorphism splits into linear factors modulo $\ell$, then the Frobenius is diagonalizable.

Finally, under the restriction that the Frobenius element is an element of a certain subring of the endomorphism ring, we prove that if the characteristic polynomial of the Frobenius endomorphism splits into linear factors modulo $\ell$, then the embedding degree and the total embedding degree of the Jacobian with respect to $\ell$ are the same number.



1. Introduction

In [12], Koblitz described how to use elliptic curves to construct a public key cryptosystem. To get a more general class of groups, and possibly larger group orders, Koblitz [13] then proposed using Jacobians of hyperelliptic curves. Since Boneh and Franklin [2] proposed an identity based cryptosystem by using the Weil pairing on an elliptic curve, pairings have been of great interest to cryptography [8]. The next natural step then was to consider pairings on hyperelliptic curves. Galbraith et al [9] survey the recent research on pairings on hyperelliptic curves.

The pairing in question is usually the Weil or the Tate pairing; both pairings can be computed with Miller's algorithm [16]. The Tate pairing is usually preferred because it can be computed more efficiently than the Weil pairing, cf. [7], and it is non-degenerate over a possibly smaller field extension than the Weil pairing, cf. [11] and [23]. For elliptic curves, in most cases relevant to cryptography the question of non-degeneracy is not an issue, cf. [1]. This result has been generalized to any abelian variety defined over a finite field by Rubin and Silverberg [20, Theorem 3.1]. The proof in [20] uses intrinsic properties of the Frobenius endomorphism on the abelian variety. This indicates the importance of knowing the representation of the Frobenius endomorphism on torsion subgroups of the abelian variety. This representation has implicitly been given by Rück [21, proof of Lemma 4.2].

Cryptographically, it is essential to know the number of points on the Jacobian. Currently, the complex multiplication method [24, 10, 4] is the only efficient method to determine the number of points of the Jacobian of a genus two curve defined over a large prime field [10]. The complex multiplication method constructs a Jacobian with endomorphism ring isomorphic to the ring of integers $\mathcal{O}_K$ in a quartic CM field $K$, i.e. a totally imaginary, quadratic field extension of a real quadratic number field. In the present paper we consider the more general situation where $\mathcal{O}_K$ is embedded into the endomorphism ring.

1.1. Notation and assumptions. Consider a hyperelliptic curve $C$ of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$. We assume that the Jacobian $\mathcal{J}_C$ of $C$ is irreducible. Identify the $q$-power Frobenius endomorphism $\varphi$ on $\mathcal{J}_C$ with a root $\omega \in \mathbb{C}$ of the characteristic polynomial $P \in \mathbb{Z}[X]$ of $\varphi$; cf. section 4. We then assume that the ring of integers of $\mathbb{Q}(\omega)$ is embedded into the endomorphism ring $\mathrm{End}(\mathcal{J}_C)$. Let $\ell \neq p$ be a prime number dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$. Assume that $\ell$ is unramified in $\mathbb{Q}(\omega)$, and that $\ell \nmid q - 1$.

1.2. Results. Under these assumptions, in section 5 we give an explicit description of all non-degenerate, bilinear, anti-symmetric, Galois-invariant pairings on the $\ell$-torsion subgroup of the Jacobian of a hyperelliptic curve of genus two, given by the following theorem.

Theorem 5.1 (Anti-symmetric pairings). Let notation and assumptions be as above. Choose a basis $\mathcal{B}$ of $\mathcal{J}_C[\ell]$, such that $\varphi$ is represented either by a diagonal matrix or a matrix on the form given in Theorem 4.2 with respect to $\mathcal{B}$. If $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic, then all non-degenerate, bilinear, anti-symmetric and Galois-invariant pairings on $\mathcal{J}_C[\ell]$ are given by the matrices
$$\mathcal{E}_{a,b} = \begin{pmatrix} 0 & a & 0 & 0 \\ -a & 0 & 0 & 0 \\ 0 & 0 & 0 & b \\ 0 & 0 & -b & 0 \end{pmatrix}, \qquad a, b \in \mathbb{F}_\ell^{\times},$$
with respect to $\mathcal{B}$.

This result implies that the Weil pairing is non-degenerate on the same field extension as the Tate pairing, and that no non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing on $\mathcal{J}_C[\ell]$ can be computed more efficiently than the Weil pairing. To end the description of pairings on $\mathcal{J}_C$, in section 6 we give an explicit description of the Tate pairing.

The proof of Theorem 5.1 uses an explicit description of the representation of the Frobenius endomorphism on the Jacobian of a hyperelliptic curve of genus two, given by the following theorem.

Theorem 4.2 (Matrix representation). Let notation and assumptions be as above. Then either $\varphi$ is diagonalizable on $\mathcal{J}_C[\ell]$, or $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix on the form
$$M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & 0 & -q \\ 0 & 0 & 1 & c \end{pmatrix}$$
with $c \not\equiv q + 1 \pmod{\ell}$ with respect to an appropriate basis of $\mathcal{J}_C[\ell]$.

Perhaps even more interestingly, we prove that if the characteristic polynomial of the Frobenius endomorphism splits into linear factors modulo $\ell$, then the Frobenius is diagonalizable.

Theorem 4.7 (Diagonal representation). Let notation and assumptions be as above. Then $\varphi$ is diagonalizable on $\mathcal{J}_C[\ell]$ if and only if the characteristic polynomial of $\varphi$ splits into linear factors modulo $\ell$.

The proofs are given in section 4. Theorems 4.2 and 4.7 also hold if $\ell \mid q - 1$ and $\ell$ is odd. The proofs are similar in this case, but due to the MOV attack [15] and the attack by Frey and Rück [6], the case $\ell \mid q - 1$ is not of cryptographic interest. Therefore, this case is omitted.

Finally, in section 7 we assume that the endomorphism ring of the Jacobian is isomorphic to the ring of integers in a quartic CM field $K$. Assuming that the Frobenius endomorphism under this isomorphism is given by an $\eta$-integer and that the characteristic polynomial of the Frobenius endomorphism splits into linear factors over $\mathbb{F}_\ell$, we prove that if the discriminant of the real subfield of $K$ is not a quadratic residue modulo $\ell$, then all $\ell$-torsion points are $\mathbb{F}_{q^k}$-rational. Here, $k$ is the multiplicative order of $q$ modulo $\ell$.



2. Hyperelliptic curves

A hyperelliptic curve is a smooth, projective curve $C \subseteq \mathbb{P}^n$ of genus at least two with a separable, degree two morphism $\phi: C \to \mathbb{P}^1$. Throughout this paper, let $C$ be a hyperelliptic curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$. By the Riemann-Roch Theorem there exists a birational map $\psi: C \to \mathbb{P}^2$, mapping $C$ to a curve given by an equation of the form
$$y^2 + g(x)y = h(x),$$
where $g, h \in \mathbb{F}_q[x]$ are polynomials of degree at most six [3, chapter 1].

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree zero divisors $\mathrm{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient
$$\mathcal{J}_C = \mathrm{Div}_0(C)/\mathcal{P}(C).$$
The Jacobian is defined over $\mathbb{F}_q$, and the points on $\mathcal{J}_C$ defined over the extension $\mathbb{F}_{q^d}$ are denoted $\mathcal{J}_C(\mathbb{F}_{q^d})$.

Let $\ell \neq p$ be a prime number. The $\ell^n$-torsion subgroup $\mathcal{J}_C[\ell^n] \leq \mathcal{J}_C$ of elements of order dividing $\ell^n$ is then isomorphic to $(\mathbb{Z}/\ell^n\mathbb{Z})^4$, i.e. $\mathcal{J}_C[\ell^n]$ is a $\mathbb{Z}/\ell^n\mathbb{Z}$-module of rank four; cf. [14, Theorem 6, p. 109].

The multiplicative order of $q$ modulo $\ell$ plays an important role in cryptography.

Definition (Embedding degree). Consider a prime number $\ell \neq p$ dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$. The embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the multiplicative order of $q$ modulo $\ell$, i.e. the least number $k$ such that $q^k \equiv 1 \pmod{\ell}$.

Throughout this paper we consider a prime number $\ell \neq p$ dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$, and assume that $\mathcal{J}_C(\mathbb{F}_q)$ is of embedding degree $k > 1$ with respect to $\ell$.
Figure 1. Representation of an endomorphism $\psi \in \mathrm{End}(\mathcal{J}_C)$ on the Tate module $T_\ell(\mathcal{J}_C)$: $\psi$ acts on each $\mathcal{J}_C[\ell^{n+1}]$ and $\mathcal{J}_C[\ell^n]$ compatibly with the horizontal multiplication-by-$\ell$ maps $[\ell]: \mathcal{J}_C[\ell^{n+1}] \to \mathcal{J}_C[\ell^n]$. (Diagram not reproduced.)

Closely related to the embedding degree, we have the total embedding degree.

Definition (Total embedding degree). Consider a prime number $\ell \neq p$ dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$. The total embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the least number $\kappa$ such that $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^\kappa})$.

Remark 2.1. If $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^\kappa})$, then $\ell \mid q^\kappa - 1$: the Weil pairing on $\mathcal{J}_C[\ell]$ is Galois-invariant and surjective onto the $\ell$-th roots of unity, so $\mu_\ell \subseteq \mathbb{F}_{q^\kappa}^{\times}$. Hence, the total embedding degree is a multiple of the embedding degree.

3. The tame Tate pairing

Let $F$ be an algebraic extension of $\mathbb{F}_q$. Let $x \in \mathcal{J}_C(F)[\ell]$ and $y = \sum_i a_i P_i \in \mathcal{J}_C(F)$ be divisors with disjoint support, and let $\bar{y} \in \mathcal{J}_C(F)/\ell\mathcal{J}_C(F)$ denote the divisor class containing the divisor $y$. Furthermore, let $f_x \in F(C)$ be a rational function on $C$ with divisor $\mathrm{div}(f_x) = \ell x$. Set $f_x(y) = \prod_i f_x(P_i)^{a_i}$. Then
$$e_\ell(x, \bar{y}) = f_x(y)$$
is a well-defined pairing $\mathcal{J}_C(F)[\ell] \times \mathcal{J}_C(F)/\ell\mathcal{J}_C(F) \to F^{\times}/(F^{\times})^{\ell}$, the Tate pairing.

Theorem 3.1. If the field $F$ is finite and contains the $\ell$-th roots of unity, then the Tate pairing $e_\ell$ is bilinear and non-degenerate.

Proof. Hess [11] gives a short and elementary proof of this result. □

Now let $F = \mathbb{F}_{q^k}$. Raising to the power $(q^k - 1)/\ell$ gives a well-defined element in the subgroup $\mu_\ell \leq \mathbb{F}_{q^k}^{\times}$ of the $\ell$-th roots of unity. This pairing
$$\hat{e}_\ell: \mathcal{J}_C(\mathbb{F}_{q^k})[\ell] \times \mathcal{J}_C(\mathbb{F}_{q^k})/\ell\mathcal{J}_C(\mathbb{F}_{q^k}) \to \mu_\ell$$
is called the tame Tate pairing.

Corollary. The tame Tate pairing $\hat{e}_\ell$ is bilinear and non-degenerate.

4. Tate representation of the Frobenius endomorphism

Let $\mathbb{Z}_\ell$ denote the ring of $\ell$-adic integers. An endomorphism $\psi: \mathcal{J}_C \to \mathcal{J}_C$ induces a $\mathbb{Z}_\ell$-linear map
$$\psi_\ell: T_\ell(\mathcal{J}_C) \to T_\ell(\mathcal{J}_C)$$
on the $\ell$-adic Tate module $T_\ell(\mathcal{J}_C)$ of $\mathcal{J}_C$; cf. [14, chapter VII, §1]. The map $\psi_\ell$ is given by $\psi$ as described in Figure 1. Hence, $\psi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix $M \in \mathrm{Mat}_4(\mathbb{F}_\ell)$.

Definition (Diagonal representation). An endomorphism $\psi \in \mathrm{End}(\mathcal{J}_C)$ is diagonalizable or has a diagonal representation on $\mathcal{J}_C[\ell]$, if $\psi$ can be represented on $\mathcal{J}_C[\ell]$ by a diagonal matrix $M \in \mathrm{Mat}_4(\mathbb{F}_\ell)$ with respect to an appropriate basis of $\mathcal{J}_C[\ell]$.

Let $f \in \mathbb{Z}[X]$ be the characteristic polynomial of $\psi$, cf. [14, pp. 109-110], and let $\bar{f}(X) \in \mathbb{F}_\ell[X]$ be the characteristic polynomial of the restriction of $\psi$ to $\mathcal{J}_C[\ell]$. Then $f$ is a monic polynomial of degree four, and by [14, Theorem 3, p. 186],
$$\bar{f}(X) \equiv f(X) \pmod{\ell}.$$

Since $C$ is defined over $\mathbb{F}_q$, the mapping $(x, y) \mapsto (x^q, y^q)$ is a morphism on $C$. This morphism induces the $q$-power Frobenius endomorphism $\varphi$ on the Jacobian $\mathcal{J}_C$. Let $P$ be the characteristic polynomial of $\varphi$. Consider an algebraic integer $\omega \in \mathbb{C}$ with $P(\omega) = 0$ in $\mathbb{C}$. By the homomorphism $\mathbb{Z}[\omega] \to \mathrm{End}(\mathcal{J}_C)$ given by $\omega \mapsto \varphi$ we will identify $\varphi$ with $\omega$.

Since $\mathrm{End}(\mathcal{J}_C)$ is a finitely generated, torsion free $\mathbb{Z}$-module [17, Theorem 1], we may define $\mathrm{End}_{\mathbb{Q}}(\mathcal{J}_C) = \mathrm{End}(\mathcal{J}_C) \otimes \mathbb{Q}$. Notice that $\mathbb{Q}(\omega) \subseteq \mathrm{End}_{\mathbb{Q}}(\mathcal{J}_C)$. Throughout this paper we assume that $\ell$ is unramified in $\mathbb{Q}(\omega)$.

Remark 4.1. It is well-known that $\ell$ is ramified in $\mathbb{Q}(\omega)$ if and only if $\ell$ divides the discriminant of the field extension $\mathbb{Q}(\omega)/\mathbb{Q}$; see e.g. [19, Theorem 2.6, p. 199]. Hence, all but finitely many prime numbers $\ell$ are unramified in $\mathbb{Q}(\omega)$. In particular, if $\ell$ is large, then $\ell$ is unramified in $\mathbb{Q}(\omega)$.

We prove the following theorem.

Theorem 4.2 (Matrix representation). Let $C$ be a hyperelliptic curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$ with irreducible Jacobian. Identify the $q$-power Frobenius endomorphism $\varphi$ on $\mathcal{J}_C$ with a root $\omega \in \mathbb{C}$ of the characteristic polynomial $P \in \mathbb{Z}[X]$ of $\varphi$. Assume that the ring of integers of $\mathbb{Q}(\omega)$ under this identification is embedded in $\mathrm{End}(\mathcal{J}_C)$. Consider a prime number $\ell \neq p$ dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$. Assume that $\ell$ is unramified in $\mathbb{Q}(\omega)$, and that $\ell \nmid q - 1$. If $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$, then $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix on the form
$$\text{(1)} \qquad M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & 0 & -q \\ 0 & 0 & 1 & c \end{pmatrix}$$
with $c \not\equiv q + 1 \pmod{\ell}$ with respect to an appropriate basis of $\mathcal{J}_C[\ell]$.



The proof of Theorem 4.2 uses a number of lemmas. At first we notice that if a power of an endomorphism is trivial on the $\ell$-torsion subgroup of $\mathcal{J}_C$, then so is the endomorphism itself.

Lemma 4.3. Let notation and assumptions be as in Theorem 4.2. Consider an endomorphism $\alpha \in \mathbb{Q}(\omega) \cap \mathrm{End}(\mathcal{J}_C)$. If $\ker[\ell] \subseteq \ker(\alpha^n)$ for some number $n \in \mathbb{N}$, then $\ker[\ell] \subseteq \ker(\alpha)$.

Proof. Since $\ker[\ell] \subseteq \ker(\alpha^n)$, it follows that $\alpha^n = \ell\beta$ for some endomorphism $\beta \in \mathrm{End}(\mathcal{J}_C)$; see e.g. [17, Remark 7.12, p. 37]. Notice that $\beta = \alpha^n/\ell \in \mathbb{Q}(\omega)$. Let $f \in \mathbb{Z}[X]$ be the characteristic polynomial of $\beta$. Since $f(\beta) = 0$ and $f$ is monic, $\beta$ is an algebraic integer. So $\beta \in \mathcal{O}_{\mathbb{Q}(\omega)}$, whence $\alpha^n \in \ell\mathcal{O}_{\mathbb{Q}(\omega)}$. Since $\ell$ is unramified in $\mathbb{Q}(\omega)$ by assumption, $\ell\mathcal{O}_{\mathbb{Q}(\omega)}$ is a product of distinct prime ideals, each of which divides $\alpha^n$ and hence $\alpha$; it follows that $\alpha \in \ell\mathcal{O}_{\mathbb{Q}(\omega)}$, i.e. $\ker[\ell] \subseteq \ker(\alpha)$. □
We will examine the representation of $\varphi$ on $\mathcal{J}_C[\ell]$. A first, basic observation is given by the following lemma.

Lemma 4.4. Let notation and assumptions be as in Theorem 4.2. Then either $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ is of dimension two as an $\mathbb{F}_\ell$-vector space, or all $\ell$-torsion points of $\mathcal{J}_C$ are $\mathbb{F}_{q^k}$-rational.

Proof. By the non-degeneracy of the Tate pairing on $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$, the dimension over $\mathbb{F}_\ell$ is at least two. If $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ is of dimension at least three over $\mathbb{F}_\ell$, then the restriction of the $q^k$-power Frobenius endomorphism $\varphi^k$ to $\mathcal{J}_C[\ell]$ is represented by a matrix on the form
$$M = \begin{pmatrix} 1 & 0 & 0 & m_1 \\ 0 & 1 & 0 & m_2 \\ 0 & 0 & 1 & m_3 \\ 0 & 0 & 0 & m_4 \end{pmatrix}$$
with respect to a basis of $\mathcal{J}_C[\ell]$ extending a basis of $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. Notice that $m_4 = \det M = \deg(\varphi^k) = q^{2k} \equiv 1 \pmod{\ell}$. Thus, the characteristic polynomial of $\varphi^k$ satisfies $\bar{P}(X) = (X - 1)^4 \pmod{\ell}$, i.e. $\ker[\ell] \subseteq \ker(\varphi^k - 1)^4$. By Lemma 4.3 it follows that $\ker[\ell] \subseteq \ker(\varphi^k - 1)$. But then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$, i.e. all $\ell$-torsion points of $\mathcal{J}_C$ are $\mathbb{F}_{q^k}$-rational. □



By [20, proof of Theorem 3.1] we know that $\mathcal{J}_C[\ell]$ as a vector space over $\mathbb{F}_\ell$ is isomorphic to a direct sum of $\varphi$-invariant subspaces. From this we get a partial description of the representation of $\varphi$ on $\mathcal{J}_C[\ell]$.

Lemma 4.5. Let notation and assumptions be as in Theorem 4.2. We may choose a basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$, where $\varphi(x_1) = x_1$, $\varphi(x_2) = qx_2$ and $\varphi(x_3) \in \langle x_3, x_4 \rangle$. If $\varphi(x_3) \notin \langle x_3 \rangle$, then $\varphi$ can be represented on $\mathcal{J}_C[\ell]$ by a matrix on the form
$$M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & 0 & -q \\ 0 & 0 & 1 & c \end{pmatrix}.$$
If $c \equiv q + 1 \pmod{\ell}$, then $\varphi$ is diagonalizable.

Proof. Let $\bar{P} \in \mathbb{F}_\ell[X]$ be the characteristic polynomial of the restriction of $\varphi$ to $\mathcal{J}_C[\ell]$. Since $\ell \mid |\mathcal{J}_C(\mathbb{F}_q)|$, $1$ is a root of $\bar{P}$. Assume that $1$ is a root of $\bar{P}$ with multiplicity $d$. Since the roots of $\bar{P}$ occur in pairs $(a, q/a)$, also $q$ is a root of $\bar{P}$ with multiplicity $d$. Hence, we may write
$$\bar{P}(X) = (X - 1)^d (X - q)^d Q(X),$$
where $Q \in \mathbb{F}_\ell[X]$ is a polynomial of degree $4 - 2d$, and $Q(1) \cdot Q(q) \not\equiv 0 \pmod{\ell}$. Let $U = \ker(\varphi - 1)^d$, $V = \ker(\varphi - q)^d$ and $W = \ker(Q(\varphi))$. Then $U$, $V$ and $W$ are $\varphi$-invariant subspaces of the $\mathbb{F}_\ell$-vector space $\mathcal{J}_C[\ell]$, $\dim_{\mathbb{F}_\ell}(U) = \dim_{\mathbb{F}_\ell}(V) = d$, and
$$\mathcal{J}_C[\ell] \simeq U \oplus V \oplus W.$$

If $d = 1$, then choose $x_i \in \mathcal{J}_C[\ell]$, such that $U = \langle x_1 \rangle$, $V = \langle x_2 \rangle$ and $W = \langle x_3, x_4 \rangle$. Then $(x_1, x_2, x_3, x_4)$ establishes the first part of the lemma. Hence, we may assume that $d = 2$. Now choose $x_1 \in U$, such that $\varphi(x_1) = x_1$, and expand this to a basis $(x_1, x_2)$ of $U$. Similarly, choose a basis $(x_3, x_4)$ of $V$ with $\varphi(x_3) = qx_3$. With respect to the basis $(x_1, x_2, x_3, x_4)$, $\varphi$ is then represented by a matrix on the form
$$M = \begin{pmatrix} 1 & \alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & q & \beta \\ 0 & 0 & 0 & q \end{pmatrix}.$$
Notice that
$$M^k = \begin{pmatrix} 1 & k\alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & q^k & kq^{k-1}\beta \\ 0 & 0 & 0 & q^k \end{pmatrix} = \begin{pmatrix} 1 & k\alpha & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & kq^{k-1}\beta \\ 0 & 0 & 0 & 1 \end{pmatrix} \pmod{\ell},$$
since $q^k \equiv 1 \pmod{\ell}$. Hence, the restriction of $\varphi^k$ to $\mathcal{J}_C[\ell]$ has the characteristic polynomial $(X - 1)^4$, i.e. $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$ by Lemma 4.3. But then $M^k = I$, whence $\alpha \equiv \beta \equiv 0 \pmod{\ell}$, as $k \mid \ell - 1$ and $q$ are both invertible modulo $\ell$. So if $d = 2$, then the first part of the lemma is established by $(x_1, x_3, x_2, x_4)$. Thus, the first part of the lemma is proved.

Now choose a basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$ according to the first part of the lemma. Assume that $\varphi(x_3) \notin \langle x_3 \rangle$. Then the set $(x_1, x_2, x_3, \varphi(x_3))$ is a basis of $\mathcal{J}_C[\ell]$. With respect to this basis, $\varphi$ is represented by a matrix on the given form: the restriction of $\varphi$ to the invariant subspace $\langle x_3, x_4 \rangle$ has characteristic polynomial $X^2 - cX + q$, the product of its two roots being $q$ because the roots of $\bar{P}$ pair as $(a, q/a)$, so $\varphi(\varphi(x_3)) = -qx_3 + c\varphi(x_3)$. If $c \equiv q + 1 \pmod{\ell}$, then $X^2 - cX + q \equiv (X - 1)(X - q)$ has the two distinct roots $1$ and $q$, so $\varphi$ is diagonalizable. □

Remark 4.6. Notice that if $\bar{P}(X) = (X - 1)^2 (X - q)^2$, then $\varphi$ is represented by the diagonal matrix $\mathrm{diag}(1, 1, q, q)$ with respect to an appropriate basis of $\mathcal{J}_C[\ell]$, $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bi-cyclic and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$.

With Lemma 4.5 we can finally prove Theorem 4.2.

Proof of Theorem 4.2. If $\varphi(x_3) \in \langle x_3 \rangle$, then $\varphi$ is represented by a matrix on the form
$$M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & \alpha & \beta \\ 0 & 0 & 0 & q\alpha^{-1} \end{pmatrix}$$
with respect to $(x_1, x_2, x_3, x_4)$. If $\alpha^2 \not\equiv q \pmod{\ell}$, then $M$ has four distinct eigenvalues and is diagonalizable, i.e. $\varphi$ can be represented by a diagonal matrix on $\mathcal{J}_C[\ell]$. So assume that $\alpha^2 \equiv q \pmod{\ell}$. Then $\alpha^{2k} \equiv q^k \equiv 1 \pmod{\ell}$, and
$$M^{2k} = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & 2k\alpha^{-1}\beta \\ 0 & 0 & 0 & 1 \end{pmatrix} \pmod{\ell},$$
i.e. the restriction of $\varphi^{2k}$ to $\mathcal{J}_C[\ell]$ has the characteristic polynomial $(X - 1)^4$. But then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{2k}})$ by Lemma 4.3, i.e. $M^{2k} = I$. So $\beta \equiv 0 \pmod{\ell}$, and $\varphi$ is diagonalizable.

Thus, if $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$, then $\varphi(x_3) \notin \langle x_3 \rangle$, whence $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix on the form (1) with respect to an appropriate basis of $\mathcal{J}_C[\ell]$; by Lemma 4.5, $c \not\equiv q + 1 \pmod{\ell}$. □

Since the roots of the characteristic polynomial $P$ of the Frobenius $\varphi$ are all of absolute value $\sqrt{q}$, we can determine whether the Frobenius is diagonalizable on $\mathcal{J}_C[\ell]$ directly from the roots of $P$ modulo $\ell$. From this it follows that if $P$ splits into linear factors modulo $\ell$, then the Frobenius is diagonalizable.

Theorem 4.7 (Diagonal representation). Let notation and assumptions be as in Theorem 4.2. Then $\varphi$ is diagonalizable on $\mathcal{J}_C[\ell]$ if and only if the characteristic polynomial of $\varphi$ splits into linear factors modulo $\ell$.

Proof. The "only if" part is trivial. We prove the "if" part.

Let $\bar{P} \in \mathbb{F}_\ell[X]$ be the characteristic polynomial of the restriction of $\varphi$ to $\mathcal{J}_C[\ell]$. Assume at first that $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic. If $\bar{P}(X) = (X - 1)^2 (X - q)^2$, then $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bi-cyclic by Remark 4.6. So $\bar{P}(X) \neq (X - 1)^2 (X - q)^2$. If $\bar{P}$ has only simple roots, then $\varphi$ is diagonalizable. Hence, we may assume that $\bar{P}$ has a double root $a \in \mathbb{F}_\ell$. The roots of $\bar{P}$ occur in pairs $(a, q/a)$. Thus, if $a \in \{1, q\}$, then $\bar{P}(X) = (X - 1)^2 (X - q)^2$. So $a \notin \{1, q\}$, whence $q/a = a$, i.e. $a^2 \equiv q \pmod{\ell}$, and it follows that $\varphi$ can be represented on $\mathcal{J}_C[\ell]$ by a matrix on the form
$$M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & q & 0 & 0 \\ 0 & 0 & a & \beta \\ 0 & 0 & 0 & a \end{pmatrix}.$$
Let $m$ be the multiplicative order of $a$ modulo $\ell$, so that $a^m \equiv q^m \equiv 1 \pmod{\ell}$. Then
$$M^m = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & 1 & ma^{m-1}\beta \\ 0 & 0 & 0 & 1 \end{pmatrix} \pmod{\ell},$$
i.e. the restriction of $\varphi^m$ to $\mathcal{J}_C[\ell]$ has the characteristic polynomial $(X - 1)^4$. But then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^m})$ by Lemma 4.3, i.e. $M^m = I$. So $\beta \equiv 0 \pmod{\ell}$, since $m \mid \ell - 1$, and $\varphi$ is diagonalizable.

Then assume that $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bi-cyclic. Then $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ contains $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ and an eigenvector of $\varphi$ with eigenvalue $q$, so it has dimension at least three, and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$ by Lemma 4.4. It follows that $\varphi$ can be represented on $\mathcal{J}_C[\ell]$ by a matrix on the form
$$M = \begin{pmatrix} 1 & 0 & 0 & 0 \\ 0 & 1 & 0 & 0 \\ 0 & 0 & q & \alpha \\ 0 & 0 & 0 & q \end{pmatrix}.$$
As above, it follows that $\alpha \equiv 0 \pmod{\ell}$, whence $\varphi$ is diagonalizable. □

Remark 4.8. Assume that $P$ splits into linear factors modulo $\ell$. If $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic, then $\varphi$ is diagonalizable on $\mathcal{J}_C[\ell]$ with eigenvalues $1, q, \alpha, q/\alpha$, and the total embedding degree $\kappa$ of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$ is the least common multiple of the multiplicative orders of the roots of $\bar{P}$ in $\mathbb{F}_\ell^{\times}$. If $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is not cyclic, then $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$ by Lemma 4.4, i.e. $\kappa = k$. Hence, $\kappa$ is easy to determine.



5. Anti-symmetric pairings on the Jacobian

On $\mathcal{J}_C[\ell]$, a non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing
$$\varepsilon: \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \to \mu_\ell \leq \bar{\mathbb{F}}_q^{\times}$$
exists, e.g. the Weil pairing. Fix a primitive $\ell$-th root of unity $\zeta$ and identify $\mu_\ell$ with $\mathbb{F}_\ell$ via $\zeta^a \mapsto a$. Since $\varepsilon$ is bilinear, it is then given by
$$\varepsilon(x, y) = x^T \mathcal{E} y$$
for some matrix $\mathcal{E} \in \mathrm{Mat}_4(\mathbb{F}_\ell)$ with respect to a basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$, where $x$ and $y$ are identified with their coordinate vectors. Since $\varepsilon$ is Galois-invariant,
$$\forall x, y \in \mathcal{J}_C[\ell]: \quad \varepsilon(x, y)^q = \varepsilon(\varphi(x), \varphi(y)).$$
This is equivalent to
$$\forall x, y \in \mathcal{J}_C[\ell]: \quad q(x^T \mathcal{E} y) = (Mx)^T \mathcal{E} (My),$$
where $M$ is the representation of $\varphi$ on $\mathcal{J}_C[\ell]$ with respect to $(x_1, x_2, x_3, x_4)$. Since $(Mx)^T \mathcal{E} (My) = x^T M^T \mathcal{E} M y$, from the Galois-invariance of $\varepsilon$ it follows that
$$\forall x, y \in \mathcal{J}_C[\ell]: \quad x^T (q\mathcal{E}) y = x^T M^T \mathcal{E} M y,$$
or equivalently, that $q\mathcal{E} = M^T \mathcal{E} M$.

Now let
$$\varepsilon(x_1, x_2) = \zeta^{a_1}, \quad \varepsilon(x_1, x_3) = \zeta^{a_2}, \quad \varepsilon(x_2, x_3) = \zeta^{a_4} \quad \text{and} \quad \varepsilon(x_3, x_4) = \zeta^{a_6}.$$
Assume at first that $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$, so that $M$ is on the form (1). By Galois-invariance and anti-symmetry we then see that
$$\mathcal{E} = \begin{pmatrix} 0 & a_1 & a_2 & qa_2 \\ -a_1 & 0 & a_4 & a_4 \\ -a_2 & -a_4 & 0 & a_6 \\ -qa_2 & -a_4 & -a_6 & 0 \end{pmatrix}.$$
Since $M^T \mathcal{E} M = q\mathcal{E}$, it follows that
$$a_2 q (c - (1 + q)) \equiv a_4 q (c - (1 + q)) \equiv 0 \pmod{\ell}.$$
Thus $a_2 \equiv a_4 \equiv 0 \pmod{\ell}$, since $c \not\equiv q + 1 \pmod{\ell}$ by Theorem 4.2. So
$$\mathcal{E} = \begin{pmatrix} 0 & a_1 & 0 & 0 \\ -a_1 & 0 & 0 & 0 \\ 0 & 0 & 0 & a_6 \\ 0 & 0 & -a_6 & 0 \end{pmatrix}.$$
Since $\varepsilon$ is non-degenerate, $a_1^2 a_6^2 = \det \mathcal{E} \not\equiv 0 \pmod{\ell}$.

Now assume that $\varphi$ is represented by a diagonal matrix $\mathrm{diag}(1, q, \alpha, q/\alpha)$ with respect to an appropriate basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$. Let $\varepsilon(x_1, x_4) = \zeta^{a_3}$ and $\varepsilon(x_2, x_4) = \zeta^{a_5}$. Then it follows from $M^T \mathcal{E} M = q\mathcal{E}$ that
$$a_2(\alpha - q) \equiv a_3(\alpha - 1) \equiv a_4(\alpha - 1) \equiv a_5(\alpha - q) \equiv 0 \pmod{\ell}.$$
If $\alpha \equiv 1$ or $\alpha \equiv q \pmod{\ell}$, then $1$ is a double eigenvalue of $\varphi$ on $\mathcal{J}_C[\ell]$, and $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is bi-cyclic. Hence the following theorem holds.

Theorem 5.1 (Anti-symmetric pairings). Let $C$ be a hyperelliptic curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$ with irreducible Jacobian. Identify the $q$-power Frobenius endomorphism $\varphi$ on $\mathcal{J}_C$ with a root $\omega \in \mathbb{C}$ of the characteristic polynomial $P \in \mathbb{Z}[X]$ of $\varphi$. Assume that the ring of integers of $\mathbb{Q}(\omega)$ under this identification is embedded in $\mathrm{End}(\mathcal{J}_C)$. Consider a prime number $\ell \neq p$ dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$. Assume that $\ell$ is unramified in $\mathbb{Q}(\omega)$, and that $\ell \nmid q - 1$. Choose a basis $\mathcal{B}$ of $\mathcal{J}_C[\ell]$, such that $\varphi$ is represented either by a diagonal matrix or a matrix on the form given in Theorem 4.2 with respect to $\mathcal{B}$. If $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic, then all non-degenerate, bilinear, anti-symmetric and Galois-invariant pairings on $\mathcal{J}_C[\ell]$ are given by the matrices
$$\mathcal{E}_{a,b} = \begin{pmatrix} 0 & a & 0 & 0 \\ -a & 0 & 0 & 0 \\ 0 & 0 & 0 & b \\ 0 & 0 & -b & 0 \end{pmatrix}, \qquad a, b \in \mathbb{F}_\ell^{\times},$$
with respect to $\mathcal{B}$.
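As an added illustration of the computation behind Theorem 5.1 (this is example code, not part of the paper): the condition $M^T \mathcal{E} M = q\mathcal{E}$ is a homogeneous linear system over $\mathbb{F}_\ell$ in the six entries $a_1, \dots, a_6$ of an anti-symmetric $\mathcal{E}$, so its solution space can be computed by Gaussian elimination modulo $\ell$. The script does this for constructed parameters $\ell = 13$, $q = 3$ (embedding degree $k = 3 > 1$, $13 \nmid q - 1$) with the Frobenius in the form (1) of Theorem 4.2 ($c = 1$), in the diagonal cyclic form $\mathrm{diag}(1, q, \alpha, q/\alpha)$ ($\alpha = 2$), and in the bi-cyclic form $\mathrm{diag}(1, 1, q, q)$, which the theorem excludes. All function and variable names are the example's own.

```python
# Added example (not from the paper): solve M^T E M == q E (mod ell) for
# anti-symmetric E by linear algebra over F_ell, reproducing the case analysis
# behind Theorem 5.1.  Parameters ell, q, c, alpha below are constructed.

def mat_mul(A, B, ell):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % ell
             for j in range(n)] for i in range(n)]


def transpose(A):
    return [list(row) for row in zip(*A)]


def nullspace_mod(rows, ncols, ell):
    """Basis of {v : rows . v == 0 (mod ell)} via Gauss-Jordan elimination over F_ell."""
    A = [[x % ell for x in r] for r in rows]
    pivots, r = [], 0
    for col in range(ncols):
        piv = next((i for i in range(r, len(A)) if A[i][col]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        inv = pow(A[r][col], -1, ell)
        A[r] = [(x * inv) % ell for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][col]:
                f = A[i][col]
                A[i] = [(x - f * y) % ell for x, y in zip(A[i], A[r])]
        pivots.append(col)
        r += 1
    basis = []
    for free in [c for c in range(ncols) if c not in pivots]:
        v = [0] * ncols
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-A[i][free]) % ell
        basis.append(v)
    return basis


# Positions of a_1..a_6 from section 5: (1,2),(1,3),(1,4),(2,3),(2,4),(3,4), 0-based here.
UPPER = [(0, 1), (0, 2), (0, 3), (1, 2), (1, 3), (2, 3)]


def antisym(a):
    """Anti-symmetric 4x4 matrix with upper-triangular entries a = [a_1, ..., a_6]."""
    E = [[0] * 4 for _ in range(4)]
    for val, (i, j) in zip(a, UPPER):
        E[i][j], E[j][i] = val, -val
    return E


def is_galois_invariant(E, M, q, ell):
    """Check the Galois-invariance condition M^T E M == q E (mod ell)."""
    lhs = mat_mul(mat_mul(transpose(M), E, ell), M, ell)
    return all((lhs[i][j] - q * E[i][j]) % ell == 0 for i in range(4) for j in range(4))


def galois_invariant_antisym(M, q, ell):
    """Basis (as vectors [a_1..a_6]) of all anti-symmetric E with M^T E M == q E."""
    Mt = transpose(M)
    columns = []
    for u in range(6):  # image of each unit vector under the linear map E -> M^T E M - q E
        e = [0] * 6
        e[u] = 1
        E = antisym(e)
        R = mat_mul(mat_mul(Mt, E, ell), M, ell)
        columns.append([(R[i][j] - q * E[i][j]) % ell for i in range(4) for j in range(4)])
    rows = [[columns[u][k] for u in range(6)] for k in range(16)]  # 16 equations, 6 unknowns
    return nullspace_mod(rows, 6, ell)


def frobenius_form_1(q, c):
    """Matrix (1) of Theorem 4.2: diag(1, q) plus the companion block of X^2 - c X + q."""
    return [[1, 0, 0, 0], [0, q, 0, 0], [0, 0, 0, -q], [0, 0, 1, c]]


def frobenius_diagonal(q, alpha, ell):
    """diag(1, q, alpha, q/alpha) over F_ell."""
    d = [1, q, alpha, (q * pow(alpha, -1, ell)) % ell]
    return [[d[i] if i == j else 0 for j in range(4)] for i in range(4)]


def demo(ell=13, q=3):
    """ell = 13, q = 3: q has order 3 mod 13 (embedding degree k = 3 > 1, and 13 does
    not divide q - 1).  c = 1 makes X^2 - X + 3 irreducible mod 13, so form (1) is not
    diagonalizable; alpha = 2 is a cyclic diagonal case; alpha = 1 the bi-cyclic one."""
    cases = {
        "form_1_c_1": frobenius_form_1(q, 1),
        "diag_alpha_2": frobenius_diagonal(q, 2, ell),
        "diag_alpha_1_bicyclic": frobenius_diagonal(q, 1, ell),
    }
    out = {}
    for name, M in cases.items():
        basis = galois_invariant_antisym(M, q, ell)
        assert all(is_galois_invariant(antisym(a), M, q, ell) for a in basis)
        out[name] = basis
    return out


if __name__ == "__main__":
    for name, basis in demo().items():
        print(name, "solution dimension", len(basis), "basis", basis)
```

In the first two cases the solution space is two-dimensional with $a_2 = a_3 = a_4 = a_5 = 0$, i.e. exactly the matrices $\mathcal{E}_{a,b}$; in the bi-cyclic case it is four-dimensional, which is why the theorem needs $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ to be cyclic. Non-degeneracy is the extra condition $a, b \neq 0$, which the linear algebra does not see.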
Corollary. Under the assumptions of Theorem 5.1,

(1) the Weil pairing is non-degenerate on $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$, and

(2) no non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing on $\mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell]$ can be computed more than eight times as efficiently as the Weil pairing.

Proof. By a precomputation, a basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$ can be found, such that the Weil pairing is given by the matrix $\mathcal{E}_{1,1}$; cf. the notation of Theorem 5.1. To compute the Weil pairing of $A, B \in \mathcal{J}_C[\ell]$, we only need to find the coordinates of $A$ and $B$ in this basis. Now assume that a non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing $\varepsilon$ on $\mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell]$ exists, such that $\varepsilon$ can be computed more than eight times as efficiently as the Weil pairing. By a precomputation we can find the matrix representation $\mathcal{E}_{a,b}$ of $\varepsilon$. Write $A = \sum_i \alpha_i x_i$. Then, with pairing values written additively as exponents of $\zeta$,
$$\alpha_1 = -a^{-1}\varepsilon(x_2, A), \quad \alpha_2 = a^{-1}\varepsilon(x_1, A), \quad \alpha_3 = -b^{-1}\varepsilon(x_4, A), \quad \alpha_4 = b^{-1}\varepsilon(x_3, A).$$
Similarly we find the coordinates of $B$. Hence, the Weil pairing of $A$ and $B$ can be computed by at most eight pairing computations with $\varepsilon$, a contradiction. □



6. Matrix representation of the tame Tate pairing

Let $\kappa$ be the total embedding degree of $\mathcal{J}_C(\mathbb{F}_q)$ with respect to $\ell$, so that $\mathcal{J}_C[\ell] = \mathcal{J}_C(\mathbb{F}_{q^\kappa})[\ell]$. The tame Tate pairing over $\mathbb{F}_{q^\kappa}$ induces a pairing $\tau_\ell: \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \to \mu_\ell$ by
$$\tau_\ell(x, y) = \hat{e}_\ell(x, \bar{y}).$$
In this section we will examine the matrix representation of this pairing.

Let $x, y \in \mathcal{J}_C[\ell] = \mathcal{J}_C(\mathbb{F}_{q^\kappa})[\ell]$ be divisors with disjoint support, and choose functions $f_x, f_y \in \mathbb{F}_{q^\kappa}(C)$ with $\mathrm{div}(f_x) = \ell x$ and $\mathrm{div}(f_y) = \ell y$. The Weil pairing $w_\ell: \mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell] \to \mu_\ell$ is then defined by
$$w_\ell(x, y) = \frac{f_x(y)}{f_y(x)}.$$
Notice that
$$\text{(3)} \qquad \frac{\tau_\ell(x, y)}{\tau_\ell(y, x)} = \left(\frac{f_x(y)}{f_y(x)}\right)^{(q^\kappa - 1)/\ell} = w_\ell(x, y)^{(q^\kappa - 1)/\ell},$$
so the left-hand side is a fixed power of the Weil pairing. It is itself a non-degenerate, bilinear, anti-symmetric and Galois-invariant pairing on $\mathcal{J}_C[\ell]$ provided the exponent $(q^\kappa - 1)/\ell$ is prime to $\ell$, i.e. $\ell^2 \nmid q^\kappa - 1$, which we assume in the following. By Theorem 5.1 we can then choose an appropriate basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$ such that this pairing is represented by the matrix
$$W = \begin{pmatrix} 0 & 1 & 0 & 0 \\ -1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 1 \\ 0 & 0 & -1 & 0 \end{pmatrix}$$
with respect to this basis; as in section 5, pairing values are written additively as exponents of a fixed primitive $\ell$-th root of unity. Notice that $x_1 \in \mathcal{J}_C(\mathbb{F}_q)$, so $\tau_\ell(x_1, x_1) = 1$. By (3) it follows that $\tau_\ell$ is represented by a matrix on the form
$$\mathcal{T} = \begin{pmatrix} 0 & a_1 & a_2 & a_3 \\ a_1 - 1 & d_2 & a_4 & a_5 \\ a_2 & a_4 & d_3 & a_6 \\ a_3 & a_5 & a_6 - 1 & d_4 \end{pmatrix}$$
with respect to the basis $(x_1, x_2, x_3, x_4)$. Since $\tau_\ell$ is Galois-invariant, it follows that $M^T \mathcal{T} M = q\mathcal{T}$, where $M$ is the representation of $\varphi$ on $\mathcal{J}_C[\ell]$ with respect to $(x_1, x_2, x_3, x_4)$.

Assume at first that the Frobenius $\varphi$ is not diagonalizable on $\mathcal{J}_C[\ell]$. Then $\varphi$ is represented by a matrix $M$ on the form given in Theorem 4.2, and it follows from $M^T \mathcal{T} M = q\mathcal{T}$ that
$$\mathcal{T} = \begin{pmatrix} 0 & a_1 & 0 & 0 \\ a_1 - 1 & 0 & 0 & 0 \\ 0 & 0 & d_3 & a_6 \\ 0 & 0 & a_6 - 1 & qd_3 \end{pmatrix},$$
where $2a_6 \equiv d_3 c + 1 \pmod{\ell}$.

Now assume that $\varphi$ is represented by a diagonal matrix $\mathrm{diag}(1, q, \alpha, q/\alpha)$ with respect to an appropriate basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$. It then follows that
$$a_i(\alpha - q) \equiv a_j(\alpha - 1) \equiv d_2(q - 1) \equiv d_j(\alpha^2 - q) \equiv 0 \pmod{\ell}$$
for $i \in \{2, 5\}$ and $j \in \{3, 4\}$. Hence the following theorem is established.

Theorem 6.1. Let $C$ be a hyperelliptic curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$ with irreducible Jacobian. Identify the $q$-power Frobenius endomorphism $\varphi$ on $\mathcal{J}_C$ with a root $\omega \in \mathbb{C}$ of the characteristic polynomial $P \in \mathbb{Z}[X]$ of $\varphi$. Assume that the ring of integers of $\mathbb{Q}(\omega)$ under this identification is embedded in $\mathrm{End}(\mathcal{J}_C)$. Consider a prime number $\ell \neq p$ dividing the order of $\mathcal{J}_C(\mathbb{F}_q)$. Assume that $\ell$ is unramified in $\mathbb{Q}(\omega)$, and that $\mathcal{J}_C(\mathbb{F}_q)$ is of embedding degree $k > 1$ with respect to $\ell$. If $\mathcal{J}_C(\mathbb{F}_q)[\ell]$ is cyclic, then the tame Tate pairing is represented on $\mathcal{J}_C[\ell] \times \mathcal{J}_C[\ell]$ by a matrix on the form
$$\mathcal{T} = \begin{pmatrix} 0 & a_1 & 0 & 0 \\ a_1 - 1 & 0 & 0 & 0 \\ 0 & 0 & d_3 & a_6 \\ 0 & 0 & a_6 - 1 & d_4 \end{pmatrix}$$
with respect to an appropriate basis of $\mathcal{J}_C[\ell]$. Furthermore, the following holds.

(1) If the $q$-power Frobenius endomorphism is not diagonalizable on $\mathcal{J}_C[\ell]$, then $d_4 \equiv qd_3 \pmod{\ell}$ and $2a_6 \equiv d_3 c + 1 \pmod{\ell}$.

(2) If the $q$-power Frobenius endomorphism is diagonalizable on $\mathcal{J}_C[\ell]$, and $\mathcal{J}_C[\ell] \not\subseteq \mathcal{J}_C(\mathbb{F}_{q^{2k}})$, then $d_3 \equiv d_4 \equiv 0 \pmod{\ell}$.

(3) Assume $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ is bi-cyclic.

(a) If $\ell^3 \nmid |\mathcal{J}_C(\mathbb{F}_{q^k})|$, then $a_1 \not\equiv 0, 1 \pmod{\ell}$.

(b) If $\ell^3 \mid |\mathcal{J}_C(\mathbb{F}_{q^k})|$ and $\ell^2 \nmid |\mathcal{J}_C(\mathbb{F}_q)|$, then $a_1 \equiv 0 \pmod{\ell}$.

Proof. The form of $\mathcal{T}$ and (1) follow from the computations above. For (2), notice that if $\alpha^2 \equiv q \pmod{\ell}$, then every eigenvalue of $\varphi$ on $\mathcal{J}_C[\ell]$ has order dividing $2k$, so $\varphi^{2k}$ is the identity on $\mathcal{J}_C[\ell]$ and $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^{2k}})$; hence $d_3 \equiv d_4 \equiv 0$ otherwise. For (3), write $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell] = \langle x_1 \rangle \oplus \langle x_2 \rangle$, where $\mathcal{J}_C(\mathbb{F}_q)[\ell] = \langle x_1 \rangle$. If $\ell^2 \nmid |\mathcal{J}_C(\mathbb{F}_q)|$ and $\ell^3 \nmid |\mathcal{J}_C(\mathbb{F}_{q^k})|$, then $\mathcal{J}_C(\mathbb{F}_{q^k})/\ell\mathcal{J}_C(\mathbb{F}_{q^k}) \simeq \mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$. By Theorem 3.1 it then follows that $a_1 \not\equiv 0, 1 \pmod{\ell}$. On the other hand, if $\ell^3 \mid |\mathcal{J}_C(\mathbb{F}_{q^k})|$, then $x_2 \in \ell\mathcal{J}_C(\mathbb{F}_{q^k})$, i.e. $a_1 \equiv 0 \pmod{\ell}$. □

Corollary. Assume $\ell^3 \nmid |\mathcal{J}_C(\mathbb{F}_{q^k})|$. If the Frobenius is not diagonalizable on $\mathcal{J}_C[\ell]$, then either

(1) a point $x \in \mathcal{J}_C[\ell]$ with $\tau_\ell(x, x) \neq 1$ exists, or

(2) $\tau_\ell$ is non-degenerate on $\mathcal{J}_C[\ell]$.

Proof. Choose an appropriate basis $(x_1, x_2, x_3, x_4)$ of $\mathcal{J}_C[\ell]$, such that the Frobenius is represented by a matrix $M$ on the form given in Theorem 4.2 and $\tau_\ell$ is represented by a matrix $\mathcal{T}$ on the form given in Theorem 6.1 with respect to this basis. Since $M^T \mathcal{T} M = q\mathcal{T}$, it follows that $d_3 c \equiv 2a_6 - 1 \pmod{\ell}$. If $d_3 \not\equiv 0 \pmod{\ell}$, which is the case in particular when $2a_6 \not\equiv 1 \pmod{\ell}$, then $\tau_\ell(x_3, x_3) \neq 1$, and $\tau_\ell$ is a self-pairing on $\mathcal{J}_C[\ell]$. If $d_3 \equiv 0 \pmod{\ell}$, then $d_4 \equiv qd_3 \equiv 0$ and $2a_6 \equiv 1$, so $a_6 \not\equiv 0, 1 \pmod{\ell}$. Moreover, $\mathcal{J}_C(\mathbb{F}_{q^k})[\ell]$ is bi-cyclic by Lemma 4.4, since otherwise $\varphi^k$ would be the identity on $\mathcal{J}_C[\ell]$ and $\varphi$ diagonalizable; hence $a_1 \not\equiv 0, 1 \pmod{\ell}$ by Theorem 6.1 (3a). So $\det \mathcal{T} = a_1(a_1 - 1)a_6(a_6 - 1) \not\equiv 0 \pmod{\ell}$, and $\tau_\ell$ is non-degenerate on $\mathcal{J}_C[\ell]$. □



7. Complex multiplication curves

In this section we assume that the endomorphism ring of the Jacobian is isomorphic to the ring of integers in a quartic CM field $K$, i.e. a totally imaginary, quadratic field extension of a real quadratic number field. Assuming that the Frobenius endomorphism under this isomorphism is given by an $\eta$-integer and that the characteristic polynomial of the Frobenius endomorphism splits into linear factors over $\mathbb{F}_\ell$, we prove that if the discriminant of the real subfield of $K$ is not a quadratic residue modulo $\ell$, then all $\ell$-torsion points are $\mathbb{F}_{q^k}$-rational.

7.1. Complex multiplication. An elliptic curve $E$ with $\mathbb{Z} \neq \mathrm{End}(E)$ is said to have complex multiplication. Let $K$ be an imaginary quadratic number field with ring of integers $\mathcal{O}_K$. $K$ is a CM field, and if $\mathrm{End}(E) \simeq \mathcal{O}_K$, then $E$ is said to have CM by $\mathcal{O}_K$. More generally a CM field is defined as follows.

Definition (CM field). A number field $K$ is a CM field, if $K$ is a totally imaginary, quadratic extension of a totally real number field $K_0$.

We only consider quartic CM fields, i.e. CM fields of degree $[K : \mathbb{Q}] = 4$.

Remark 7.1. Consider a quartic CM field $K$. Let $K_0 = K \cap \mathbb{R}$ be the real subfield of $K$. Then $K_0$ is a real quadratic number field, $K_0 = \mathbb{Q}(\sqrt{D})$ with $D$ a square-free integer. By a basic result on quadratic number fields, the ring of integers of $K_0$ is given by $\mathcal{O}_{K_0} = \mathbb{Z} + \xi\mathbb{Z}$, where
$$\xi = \begin{cases} \sqrt{D}, & \text{if } D \not\equiv 1 \pmod{4}, \\ \dfrac{1 + \sqrt{D}}{2}, & \text{if } D \equiv 1 \pmod{4}. \end{cases}$$
Since $K$ is a totally imaginary, quadratic extension of $K_0$, a number $\eta \in K$ exists, such that $K = K_0(\eta)$, $\eta^2 \in K_0$. The number $\eta$ is totally imaginary, and we may assume that $\eta = i\eta_0$, $\eta_0 \in \mathbb{R}$. Furthermore we may assume that $-\eta^2 \in \mathcal{O}_{K_0}$, so $\eta = i\sqrt{a + b\xi}$, where $a, b \in \mathbb{Z}$.

Let $C$ be a hyperelliptic curve of genus two. Then $C$ is said to have CM by $\mathcal{O}_K$, if $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$. The structure of $K$ determines whether $\mathcal{J}_C$ is irreducible. More precisely, the following theorem holds.

Theorem 7.2. Let $C$ be a hyperelliptic curve of genus two with $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$, where $K$ is a quartic CM field. Then $\mathcal{J}_C$ is reducible if and only if $K/\mathbb{Q}$ is Galois with bi-cyclic Galois group.

Proof. [22, Proposition 26, p. 61]. □

Theorem 7.2 motivates the following definition.

Definition (Primitive, quartic CM field). A quartic CM field $K$ is called primitive if either $K/\mathbb{Q}$ is not Galois, or $K/\mathbb{Q}$ is Galois with cyclic Galois group.
7.2. Jacobians with complex multiplication. The CM method for constructing curves of genus two with prescribed endomorphism ring is described in detail by Weng [24], Gaudry et al [10] and Eisenträger and Lauter [4]. In short, the CM method is based on the construction of the class polynomials of a primitive, quartic CM field $K$ with real subfield $K_0$ of class number $h(K_0) = 1$. The prime power $q$ has to be chosen such that $q = x\bar{x}$ for a number $x \in \mathcal{O}_K$. By [24] we will restrict ourselves to the case $x \in \mathcal{O}_{K_0} + \eta\mathcal{O}_{K_0}$.

Now assume that $\mathcal{J}_C$ has CM by a primitive, quartic CM field $K = \mathbb{Q}(\eta)$, where $\eta = i\sqrt{a + b\xi}$ and
$$\text{(4)} \qquad \xi = \begin{cases} \sqrt{D}, & \text{if } D \not\equiv 1 \pmod{4}, \\ \dfrac{1 + \sqrt{D}}{2}, & \text{if } D \equiv 1 \pmod{4}. \end{cases}$$
Here, $D$ is a square-free integer, and $K_0 = \mathbb{Q}(\sqrt{D})$.

Definition ($\eta$-integer). An integer $\alpha \in \mathcal{O}_K$ is an $\eta$-integer, if $\alpha \in \mathcal{O}_{K_0} + \eta\mathcal{O}_{K_0}$.

If the $q$-power Frobenius endomorphism $\varphi$ under the isomorphism $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$ is given by an $\eta$-integer $\omega$, then we can express the characteristic polynomial $P$ of $\varphi$ in terms of $\omega$. Together with Remark 4.6 it follows from this that if $P$ splits into linear factors over $\mathbb{F}_\ell$ and $D$ is not a quadratic residue modulo $\ell$, then all $\ell$-torsion points are $\mathbb{F}_{q^k}$-rational. This result is given by the following theorem.

Theorem 7.3. Let $C$ be a hyperelliptic curve of genus two defined over a finite field $\mathbb{F}_q$ of characteristic $p$ and with $\mathrm{End}(\mathcal{J}_C) \simeq \mathcal{O}_K$, where $K$ is a primitive, quartic CM field with real subfield $\mathbb{Q}(\sqrt{D})$. Assume that the $q$-power Frobenius endomorphism $\varphi$ under this isomorphism is given by an $\eta$-integer $\omega$. Consider a prime number $\ell \neq p$ dividing $|\mathcal{J}_C(\mathbb{F}_q)|$. Assume that $\ell$ is unramified in $\mathbb{Q}(\omega)$, and that the characteristic polynomial $\bar{P}$ of the restriction of $\varphi$ to $\mathcal{J}_C[\ell]$ splits into linear factors over $\mathbb{F}_\ell$. Let $k$ be the multiplicative order of $q$ modulo $\ell$. If $D$ is not a quadratic residue modulo $\ell$, then all the $\ell$-torsion points of $\mathcal{J}_C$ are $\mathbb{F}_{q^k}$-rational.

Proof. Write
$$\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta, \qquad c_i \in \mathbb{Z}.$$
Since $D$ is not a quadratic residue modulo $\ell$, it follows by Lemma 7.4 that $c_2 \equiv 0 \pmod{\ell}$ and $\bar{P}(X) = (X - 1)^2 (X - q)^2$. Note that $\mathcal{J}_C$ is irreducible by Theorem 7.2, since $K$ is primitive. If $q \not\equiv 1 \pmod{\ell}$, it then follows by Remark 4.6 that the $q$-power Frobenius endomorphism is represented by the diagonal matrix $\mathrm{diag}(1, 1, q, q)$ on $\mathcal{J}_C[\ell]$ with respect to an appropriate basis, whence $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$. On the other hand, if $q \equiv 1 \pmod{\ell}$, then $k = 1$ and $\bar{P}(X) = (X - 1)^4$, i.e. $\ker[\ell] \subseteq \ker(\varphi - 1)^4$, and by Lemma 4.3 $\ker[\ell] \subseteq \ker(\varphi - 1)$; so also in this case $\mathcal{J}_C[\ell] \subseteq \mathcal{J}_C(\mathbb{F}_{q^k})$. □

Lemma 7.4. Let notation and assumptions be as in Theorem 7.3. Write
$$\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta, \qquad c_i \in \mathbb{Z}.$$

(1) If $c_2 \not\equiv 0 \pmod{\ell}$, then $D$ is a quadratic residue modulo $\ell$.

(2) If $c_2 \equiv 0 \pmod{\ell}$, then $\bar{P}(X) = (X - 1)^2 (X - q)^2$.

Proof. At first, assume that $D \not\equiv 1 \pmod{4}$. Since the conjugates of $\omega$ are given by $\omega_1 = \omega$, $\omega_2 = \bar{\omega}_1$, $\omega_3$ and $\omega_4 = \bar{\omega}_3$, where
$$\omega_3 = c_1 - c_2\sqrt{D} + i(c_3 - c_4\sqrt{D})\sqrt{a - b\sqrt{D}},$$
it follows that the characteristic polynomial of $\varphi$ is given by
$$P(X) = \prod_{i=1}^{4} (X - \omega_i) = X^4 - 4c_1 X^3 + \bigl(2q + 4(c_1^2 - c_2^2 D)\bigr)X^2 - 4c_1 q X + q^2.$$
Since $P(1) \equiv P(q) \equiv 0 \pmod{\ell}$, dividing $P(X)$ by $(X - 1)(X - q)$ it then follows that the remainder satisfies $\alpha X + \beta \equiv 0 \pmod{\ell}$, where
$$\beta \equiv q\bigl(-q^2 + (4c_1 - 2)q + (-1 + 4c_2^2 D - 4c_1^2 + 4c_1)\bigr) \pmod{\ell}.$$
Since $\beta \equiv 0 \pmod{\ell}$ and $q \not\equiv 0 \pmod{\ell}$, it follows that $4c_2^2 D \equiv (2c_1 - q - 1)^2 \pmod{\ell}$. So if $c_2 \not\equiv 0 \pmod{\ell}$, then $D$ is a quadratic residue modulo $\ell$; and if $c_2 \equiv 0 \pmod{\ell}$, then $2c_1 \equiv q + 1 \pmod{\ell}$, and it follows that $\bar{P}(X) = (X - 1)^2 (X - q)^2$.

If $D \equiv 1 \pmod{4}$, then
$$\omega_3 = c_1 + c_2\frac{1 - \sqrt{D}}{2} + i\left(c_3 + c_4\frac{1 - \sqrt{D}}{2}\right)\sqrt{a + b\frac{1 - \sqrt{D}}{2}},$$
and it follows that the characteristic polynomial of $\varphi$ is given by
$$P(X) = X^4 - 2cX^3 + (2q + c^2 - c_2^2 D)X^2 - 2qcX + q^2,$$
where $c = 2c_1 + c_2$. Dividing $P(X)$ by $(X - 1)(X - q)$ it then follows that $\alpha X + \beta \equiv 0 \pmod{\ell}$, where
$$\beta \equiv -q\bigl(q^2 + (2 - 2c)q + (1 - 2c + c^2 - c_2^2 D)\bigr) \pmod{\ell}.$$
Since $\beta \equiv 0 \pmod{\ell}$, it follows that $c_2^2 D \equiv (c - q - 1)^2 \pmod{\ell}$. As before it then follows that if $c_2 \equiv 0 \pmod{\ell}$, then $\bar{P}(X) = (X - 1)^2 (X - q)^2$. □
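As an added worked instance of Lemma 7.4, and of Theorem 4.7 through the roots of $\bar{P}$ (example code, not from the paper): for $D \not\equiv 1 \pmod{4}$ the script computes $q = \omega\bar{\omega}$ exactly in $\mathbb{Z}[\sqrt{D}]$, builds $P$ from the two traces $\omega_1 + \omega_2$ and $\omega_3 + \omega_4$, picks a prime $\ell \mid P(1) = |\mathcal{J}_C(\mathbb{F}_q)|$ with $\ell \nmid q - 1$, and checks the congruence $4c_2^2 D \equiv (2c_1 - q - 1)^2$, whether $D$ is a square modulo $\ell$, the roots of $\bar{P}$ and the embedding degree. The parameters $D = 2$, $\eta = i\sqrt{3 + \sqrt{2}}$ and $\omega = 1 + 3\sqrt{2} + (2 - \sqrt{2})\eta$ are constructed for the example and give $q = 29$; only the polynomial identities are checked, no curve with this Frobenius is constructed, and all names are the example's own.

```python
# Added example (not from the paper): the characteristic polynomial of an
# eta-integer Frobenius and the congruence of Lemma 7.4, computed exactly for
# D != 1 (mod 4).  Elements of Z[sqrt D] are pairs (u, v) = u + v*sqrt D.
# Parameters in demo() are constructed; only polynomial identities are checked.

def zd_mul(x, y, D):
    """Product in Z[sqrt D]."""
    u1, v1 = x
    u2, v2 = y
    return (u1 * u2 + D * v1 * v2, u1 * v2 + u2 * v1)


def zd_add(x, y):
    return (x[0] + y[0], x[1] + y[1])


def frobenius_norm(c, a, b, D):
    """omega*conj(omega) = (c1 + c2 sqrtD)^2 + (c3 + c4 sqrtD)^2 (a + b sqrtD), in Z[sqrt D]."""
    c1, c2, c3, c4 = c
    real_sq = zd_mul((c1, c2), (c1, c2), D)
    imag_sq = zd_mul(zd_mul((c3, c4), (c3, c4), D), (a, b), D)
    return zd_add(real_sq, imag_sq)


def eta_is_totally_imaginary(a, b, D):
    """eta = i*sqrt(a + b sqrt D) is totally imaginary iff a + b sqrt D is totally positive."""
    return a > 0 and a * a - b * b * D > 0


def char_poly(c, a, b, D):
    """Return (q, [1, p3, p2, p1, p0]) where P(X) = (X^2 - t X + q)(X^2 - t' X + q),
    t = omega_1 + omega_2 = 2(c1 + c2 sqrt D) and t' its conjugate under sqrt D -> -sqrt D."""
    q, irrational = frobenius_norm(c, a, b, D)
    if irrational != 0:
        raise ValueError("omega*conj(omega) is not a rational integer")
    c1, c2 = c[0], c[1]
    s = 4 * c1                        # t + t'
    p = 4 * (c1 * c1 - c2 * c2 * D)   # t * t'
    return q, [1, -s, p + 2 * q, -s * q, q * q]


def poly_eval(coeffs, x, mod=None):
    r = 0
    for co in coeffs:
        r = r * x + co
        if mod is not None:
            r %= mod
    return r


def roots_mod(coeffs, ell):
    return [x for x in range(ell) if poly_eval(coeffs, x, ell) == 0]


def mult_order(x, ell):
    k, y = 1, x % ell
    while y != 1:
        y, k = (y * x) % ell, k + 1
    return k


def lemma_7_4_report(c, a, b, D, ell):
    """Consequences of Lemma 7.4 modulo a prime ell dividing P(1) = #J_C(F_q)."""
    q, P = char_poly(c, a, b, D)
    c1, c2 = c[0], c[1]
    if poly_eval(P, 1) % ell:
        raise ValueError("ell must divide #J_C(F_q) = P(1)")
    return {
        "q": q,
        "P": P,
        "order_of_J": poly_eval(P, 1),
        "P_at_q_mod_ell": poly_eval(P, q, ell),     # roots pair as (a, q/a), so P(q) == 0
        "congruence_holds": (4 * c2 * c2 * D - (2 * c1 - q - 1) ** 2) % ell == 0,
        "c2_mod_ell": c2 % ell,
        "D_is_square_mod_ell": pow(D % ell, (ell - 1) // 2, ell) == 1,
        "roots_mod_ell": roots_mod(P, ell),
        "embedding_degree": mult_order(q, ell),
    }


def demo():
    # Constructed: D = 2, eta = i*sqrt(3 + sqrt 2), omega = 1 + 3 sqrt 2 + (2 - sqrt 2) eta.
    c, a, b, D = (1, 3, 2, -1), 3, 1, 2
    assert eta_is_totally_imaginary(a, b, D)
    q, P = char_poly(c, a, b, D)
    n = poly_eval(P, 1)                              # #J_C(F_q)
    ell = max(p for p in range(2, n + 1)
              if n % p == 0 and all(p % d for d in range(2, int(p ** 0.5) + 1)))
    assert (q - 1) % ell != 0                        # ell does not divide q - 1
    return lemma_7_4_report(c, a, b, D, ell)


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

Here $|\mathcal{J}_C(\mathbb{F}_{29})| = P(1) = 712 = 2^3 \cdot 89$ and $\ell = 89$; $D = 2$ is a square modulo $89$ and $c_2 = 3 \not\equiv 0$, as Lemma 7.4 (1) requires, with $4c_2^2 D \equiv (2c_1 - q - 1)^2 \equiv 72$. The polynomial $\bar{P}$ has only the two roots $1$ and $29 = q$ modulo $89$, so for any Jacobian with this Frobenius that satisfies the hypotheses of Theorem 4.7, $\varphi$ is not diagonalizable on $\mathcal{J}_C[89]$; the embedding degree is $k = 88$.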